From ad0d83bd6fdd03d6d0bf9c347ec445e0fe17c093 Mon Sep 17 00:00:00 2001 From: Dima Ryazanov Date: Wed, 14 Nov 2018 22:55:22 -0800 Subject: [PATCH] Don't look for weston.ini in the current working directory It's a bit surprising that Weston looks different when launched from the root of the git repo vs from elsewhere. But it's also technically a security vulnerability: if I launch it from a directory like /tmp, it might pick up a weston.ini created by another user, which could then load modules with arbitrary code. Basically, it's the same problem as including "." in $PATH. Signed-off-by: Dima Ryazanov --- man/weston.ini.man | 1 - man/weston.man | 4 +--- shared/config-parser.c | 8 ++------ 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/man/weston.ini.man b/man/weston.ini.man index c12e0505..2171b960 100644 --- a/man/weston.ini.man +++ b/man/weston.ini.man @@ -27,7 +27,6 @@ server is started: .B "weston/weston.ini in each" .BR "\ \ \ \ $XDG_CONFIG_DIR " "(if $XDG_CONFIG_DIRS is set)" .BR "/etc/xdg/weston/weston.ini " "(if $XDG_CONFIG_DIRS is not set)" -.BR "/weston.ini " "(if no variables were set)" .fi .RE .PP diff --git a/man/weston.man b/man/weston.man index c09d4c2d..c1aa6476 100644 --- a/man/weston.man +++ b/man/weston.man @@ -261,14 +261,12 @@ See .SH FILES . If the environment variable is set, the configuration file is read -from the respective path, or the current directory if neither is set. +from the respective path. .PP .BI $XDG_CONFIG_HOME /weston.ini .br .BI $HOME /.config/weston.ini .br -.I ./weston.ini -.br . .\" *************************************************************** .SH ENVIRONMENT diff --git a/shared/config-parser.c b/shared/config-parser.c index ae5f8035..7b1402d2 100644 --- a/shared/config-parser.c +++ b/shared/config-parser.c 
@@ -75,8 +75,7 @@ open_config_file(struct weston_config *c, const char *name) } /* Precedence is given to config files in the home directory, - * and then to directories listed in XDG_CONFIG_DIRS and - * finally to the current working directory. */ + * then to directories listed in XDG_CONFIG_DIRS. */ /* $XDG_CONFIG_HOME */ if (config_dir) { @@ -111,10 +110,7 @@ open_config_file(struct weston_config *c, const char *name) next++; } - /* Current working directory. */ - snprintf(c->path, sizeof c->path, "./%s", name); - - return open(c->path, O_RDONLY | O_CLOEXEC); + return -1; } static struct weston_config_entry *
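Review bot: in the man/weston.man FILES hunk, the rewritten sentence "the configuration file is read from the respective path" no longer says what happens when neither variable is set or no file is found. Suggest stating that outcome explicitly now that the ./weston.ini fallback is gone. The FILES list there also omits the $XDG_CONFIG_DIRS and /etc/xdg/weston/weston.ini locations that man/weston.ini.man still documents, so the two pages could be brought in line in the same change.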
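Review bot: in the shared/config-parser.c hunk at -75,8, the updated precedence comment names $XDG_CONFIG_HOME and XDG_CONFIG_DIRS as the remaining sources, but a relative or empty entry in either variable would still resolve against the current working directory and bring back the lookup this patch removes. The visible lines do not show whether such entries are rejected. The XDG Base Directory specification says paths in these variables must be absolute and relative ones should be ignored, so consider skipping any entry that does not start with '/' and noting that in this comment.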
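Review bot: at the new "return -1;" that ends open_config_file() in the -111,10 hunk, the failure no longer comes from an open() call on this path, so neither errno nor c->path is set here. Before the change c->path was always rewritten to "./name" and errno came from that open(). If any caller reports errno or c->path after a failed lookup, it will now see whatever an earlier attempt left behind. Suggest setting errno = ENOENT and clearing c->path[0] before returning, or confirming that callers only test the return value.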